The $1.7M fine levied on the Alaska Department of Health and Social Services should pique the interest of compliance officers and risk managers across the healthcare industry.
One stolen USB storage drive. 501 Medicare beneficiaries. A mandatory report to OCR with its customary investigation. A $1.7M fine. A Resolution Agreement. A Corrective Action Plan. Three years of independent monitoring of its compliance.
These are the new stakes associated with data breaches. Looking specifically at the Corrective Action Plan documented for the Alaska DHSS, its obligations include:
- Remediation, Update and Dissemination of Policies and Procedures
- Workforce Training
- Risk Analysis and Risk Management Process Remediation
- Designation of an Independent Monitor for a period of 3 years
Visit http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.html for the detail on the OCR’s enforcement in this case.
Would a reported breach open a Pandora’s Box in your organization? Most of you that we speak with have a fair amount of anxiety about the health of your HIPAA/HITECH privacy and security compliance posture, but continue to struggle to get executive sponsorship and budget for activities that you consider essential and fundamental to your operations and compliance mission.
The circumstances of this breach provide you the “conversation starter” that you may need to engage or re-engage your leadership around HIPAA/HITECH compliance. Further, the comments offered by OCR affirm what we have learned through the HIPAA Audit Program about our industry’s opportunities for improvement and compliance program priorities.
Contact us if we can be of assistance.